Spying With GMail

If you haven’t noticed, there’s lately been an overabundance of news about Google, including a deluge of product announcements, GMail privacy histrionics, and IPO speculations. Though I’m reluctant to contribute to the insanity, there is one element of the GMail privacy flap that I haven’t yet seen discussed, and so I feel the need to discuss the topic.

The GMail privacy discussions have taken one of two predictable forms. In one camp, privacy advocates tug their tinfoil hats further down their heads, and mutter to themselves that GMail will inevitably be bad because allowing someone to read all your email is never a good thing. In the other camp, seemingly level-headed, though somewhat indifferent, pseudo-champions of GMail point out that no one is holding a gun to anyone’s head – if you don’t want Google or advertisers getting access to your email, they say, simply don’t use the service.

Into this arena, I would like to present a third possibility: GMail might be a threat to your privacy, even if you don’t use the service. To illustrate how this is possible, it’s necessary to understand a little about signaling.

If you want to know whether or not a major operation is underway at the local FBI office, there’s a simple way to find out: watch the office over a long period of time and record the number of pizzas deliveries. Those nights that differ significantly from the average represent nights on which an operation is underway. Though this example is known to be an urban legend, it does provide a simple example to use to explain signaling – as you can probably guess, signaling reveals information to an outside party through an indirect channel. In the case of the FBI example, someone monitoring the deliveries knows that something is up; however, they don’t know exactly what operation is taking place. Nevertheless, the signal that the FBI is working harder/later than usual may be enough to convince a criminal to change their plans, and hence foil the FBI’s operation.

So how does this relate to GMail?

Well, you have to consider how Google’s advertising system, AdWords, works. Anyone can get an AdWords account with Google, allowing them to create a campaign that will display a specific advertisement to users when they search for the keywords associated with the campaign. For example, I created an AdWords campaign for my book, associating a simple text ad with the keywords “java”, “p2p”, and “jxta” – whenever someone entered those words into Google, they saw my ad.

Google’s AdWords system provides an advertiser with reports on the ad campaign detailing the number of times an advertisement has been displayed and the number of times a user has clicked on the ad. Though the AdWords administrative interface doesn’t report who saw my advertisement, throwing GMail into the mix makes this irrelevant. In order for me to be able to spy on a GMail user, I only need to carefully craft an AdWords campaign with a very specific set of keywords, and monitor if anyone ever triggers the display of my advertisement. This technique allows any user, not just Google, to effectively monitor GMail-based email communications, and only requires one of the parties (preferably the recipient) to be a GMail user.

Is this attack practical for general-purpose spying? Probably not. It’s unclear at this point whether GMail uses email headers that would permit this attack to be specific to an email address. It’s also unclear whether Google will filter out proper names to limit the ability of an attacker to target a particular person. However, an attacker could conceivably use knowledge of their victim to tailor the AdWords campaigns’ keywords to be arbitrarily precise.

That said, this flaw isn’t as bad as it seems – I doubt we’ll see companies blocking access to GMail, or filtering email destined for GMail accounts. After all, companies a hemorrhaging intellectual property via unencrypted email every day. Though this attack may allow GMail to be used to spy on a user from afar, the limited scope of any attack puts its risk below most of the other virus or spyware-based threats.

2 comments

jeff kJuly 29, 2004

That’s a nice catch.
If you know an email address or name of somebody at google then you could target an ad at them to get your flaw heard.
For instance buy “Susan Wojciki” (I think that’s the name of a high level google PM) and “sex” and “google” and make the ad read: “Susan, I see you’re talking about sex again” or something along those lines.
Of course you could just report it as a bug, but where’s the fun in that?

former gmail userJune 8, 2005

Great article.

Just a side note.
I stopped using gmail because of the privacy issue but not because of the basic day to day emails I get and send but because of attchments. If you try to send an email through gmail with and .zip or .rar attachment that has password protection it will fail with a message stating something to the affect of “for protection and security reasons gmail does not allow the .exe to be sent” But if you remove the passord protect no problem. THEY PARSE EVERYTHING!!!!!! STAY AWAY. Think how much damage can be done with a resume.